KoenZomers / KeePassOneDriveSync

Allows syncing of KeePass databases stored on OneDrive Personal, OneDrive for Business or SharePoint
Eclipse Public License 1.0

[QUESTION] Brief description #159

Open rolandraijmakers opened 2 years ago

rolandraijmakers commented 2 years ago

Describe your question
The Conditional Access rule gives 'Success', but we're still not able to log in.

Screenshots
See log detail at end of this question.

Versions (please complete the following information):

Authentication method

KeePass database synced with

Details

Date: 31/10/2022, 15:25:20
Request ID: f3b2f186-5fa5-464f-8cc5-ef3de9aa1a00
Correlation ID: c07062d5-32f8-414f-b8a2-78a8bbde4de1
Authentication requirement: Multifactor authentication
Status: Failure
Continuous access evaluation: No
Sign-in error code: 530033
Failure reason: Remote device flow blocked due to device based conditional access.
Additional Details: This request is authorizing a remote device, and there is a conditional access policy that requires device authentication. The request is blocked because we cannot assert the properties of the remote device. View the Conditional Access information for this request in the sign-in logs for more details about the policy applied here.
Troubleshoot Event

Follow these steps:

Launch the Sign-in Diagnostic.
Review the diagnosis and act on suggested fixes.

User: Roland Raijmakers
Username: r.raijmakers@boladviseurs.nl
User ID: 2cbe6d44-22b9-4637-b54e-c8ae4458b88d
Sign-in identifier:
User type: Member
Cross tenant access type: None
Application: Koen Zomers OneDrive Sync v2
Application ID: 7bcec80a-2ffe-4713-b9ea-0150361c8209
Resource: Microsoft Graph
Resource ID: 00000003-0000-0000-c000-000000000000
Resource tenant ID: e615e47b-7994-469f-9303-f4f0c2e5cbc2
Home tenant ID: e615e47b-7994-469f-9303-f4f0c2e5cbc2
Home tenant name:
Client app: Mobile Apps and Desktop clients
Client credential type: None
Service principal ID:
Service principal name:
Resource service principal ID: 50a6f207-0d45-4e22-9d56-9c7f6b071dce
Unique token identifier: hvGy86VfT0aMxe896aoaAA
Token issuer type: Azure AD
Token issuer name:
Incoming token type: Primary refresh token
Authentication Protocol: None
Latency: 253ms
Flagged for review: Yes
User agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.26

Conditional Access Policy details
Policy: Windows, Linux and MacOS
Policy state: Enabled
Result: Failure

Assignments
User: Roland Raijmakers - Matched
Application: Koen Zomers OneDrive Sync v2 - Matched (All apps included)

Conditions
Device platform: Matched
Location: Gennep, NL - Matched (94.208.30.174)
Client app: Mobile Apps and Desktop clients - Matched
Device: 10cf706e-25dc-4943-83f9-aee2e5ec9c6b - Not configured
User risk: Not configured

Access controls
Grant Controls: Not satisfied (Require compliant device)
Session Controls: Not configured
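A small triage script for the failure shown in this log, added here as an example and not part of KeePassOneDriveSync: it reads Azure AD sign-in records in the Microsoft Graph `signIn` shape (the sample records are constructed; the error code, app name and policy name are the ones in the log above, the user and the second device ID are placeholders) and reports, for every sign-in blocked with error 530033, whether any device ID reached Azure AD and which policy's grant control was not satisfied.

```python
import json

# Added example (not part of KeePassOneDriveSync). Record shape follows the Microsoft
# Graph `signIn` resource (status, appliedConditionalAccessPolicies, deviceDetail).
# Constructed sample data: error code, app name and policy name come from the issue
# above; the user principal name and the second device ID are placeholders.
DEVICE_FLOW_BLOCKED = 530033  # "Remote device flow blocked due to device based conditional access"

SAMPLE_LOG = json.dumps([
    {"id": "sample-1", "userPrincipalName": "user@example.invalid",
     "appDisplayName": "Koen Zomers OneDrive Sync v2",
     "clientAppUsed": "Mobile Apps and Desktop clients",
     "status": {"errorCode": 530033,
                "failureReason": "Remote device flow blocked due to device based conditional access."},
     "deviceDetail": {"deviceId": "", "isCompliant": False},  # remote device flow: no device identity
     "appliedConditionalAccessPolicies": [
         {"displayName": "Windows, Linux and MacOS", "result": "failure",
          "enforcedGrantControls": ["RequireCompliantDevice"]},
         {"displayName": "MFA for all users", "result": "success",
          "enforcedGrantControls": ["Mfa"]}]},
    {"id": "sample-2", "userPrincipalName": "user@example.invalid",
     "appDisplayName": "Koen Zomers OneDrive Sync v2",
     "clientAppUsed": "Browser",
     "status": {"errorCode": 0, "failureReason": "Other."},
     "deviceDetail": {"deviceId": "00000000-0000-4000-8000-000000000001", "isCompliant": True},
     "appliedConditionalAccessPolicies": [
         {"displayName": "Windows, Linux and MacOS", "result": "success",
          "enforcedGrantControls": ["RequireCompliantDevice"]}]},
])


def triage(log_json: str) -> list:
    """One finding per sign-in blocked with error 530033: the app, whether a device ID
    reached Azure AD, and the policies whose grant controls were not satisfied. That is
    what an admin needs to decide between scoping the device-compliance policy and
    moving the client to an auth flow that carries device identity."""
    findings = []
    for rec in json.loads(log_json):
        if rec.get("status", {}).get("errorCode") != DEVICE_FLOW_BLOCKED:
            continue
        failed = [(p["displayName"], p.get("enforcedGrantControls", []))
                  for p in rec.get("appliedConditionalAccessPolicies", [])
                  if p.get("result") == "failure"]
        findings.append({
            "id": rec["id"],
            "app": rec.get("appDisplayName"),
            "client_app": rec.get("clientAppUsed"),
            "device_id_present": bool(rec.get("deviceDetail", {}).get("deviceId")),
            "failed_policies": failed,
        })
    return findings
```

Running `triage(SAMPLE_LOG)` flags only the first record, with no device ID present and the "Windows, Linux and MacOS" policy's RequireCompliantDevice control listed as the unsatisfied grant.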

rolandraijmakers commented 1 year ago

Hello Koen,

I've done some research. It seems that the KeePassOneDrive plugin doesn't send back the device ID from my laptop within the authorization request. The Conditional Access rule set in Intune checks for compatible and authorized devices. This happens when I use the first sync option, where authentication is done via my default browser (Google Chrome with the Windows 10 Accounts extension or Microsoft Edge with the built-in Windows 10 Accounts extension). Conditional Access rules define two things: a known device within our organisation and a compliant device. As long as the device ID is left out of the authorization request, the request will be rejected.

To be more specific: the device ID is the device ID in Azure AD. From another application I see the following in the logging on my account in Azure:

From our system engineer I also got the suggestion that Microsoft has ended support for Basic Authentication since October 1st. Only Modern Authentication is supported.

I have a workaround, and that is to use the second authorization option (built-in browser) and save the login tokens on my local computer. This option I would rather not use, because I think the first sync option is safer.

Roland Raijmakers